Dear Brian,
I think the subject has nothing to do with servlets, so I think you could
reply to me at: [EMAIL PROTECTED]
-----Original Message-----
From: Brian Silberbauer <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: 18 July 1999 19:08
Subject: SSL, keys and certificates
>Hi all
>
>I am developing a site for a group of clients who will be connecting to
>our site via SSL for security
>reasons. I have decided to use client authentication instead of manual
>login for added security and will
>allow the client to add users to the system via an admin certificate. ie
>All clients are issued with admin
>certs which in turn are used to generate user certs. I just need a bit
>of clarity on some issues and some
>help with others.
As I understand it, by "the client" you mean "a browser".
>
>The way I understand it:
>
>The web server has one public and private key from which you can create
>certificates.
No, the web server certificate is there to certify the server, so that the
client connecting to the server can be sure whom it "speaks" to. Also, the
server certificate is mandatory to establish an SSL connection - client certs
are optional.
>The browser has one public and private key from which you can generate
>certificates.
No. The browser has pre-installed (browse the Netscape security button to see
them) CAs' (Certification Authority) public keys. If the server certificate
is issued by one of the CAs whose public key is pre-installed, the server is
verified automatically. If the server certificate is issued by a CA that is
not known by the client (e.g. your own CA), you must install this CA's public
key; then you say "I trust that CA" and allow it to validate servers'
certificates.
>If I create a web server certificate, the client needs to insert a root
>certificate into his browser, for it to
>recognize the site.
As I said, no: if you buy a certificate at e.g. VeriSign (whose public key is
pre-installed), your server will be validated automatically. The better
solution is to have the server certified by a known CA.
>
>
>How do I:
>
>create the certificate
In general you do not have to create certificates - you can buy them for
the server and for clients.
>generate the root certificate
>
To have the root certificate you must establish your own certificate server
(there are products from Netscape and RSA; I remember I found the links to
them on the Netscape site). Anyway, there are two kinds of root certs:
1. super core root that the client must install in his browser
2. root certified by a known CA - then the certificate chain is established
and the client does not need to install it
sincerely
Olek
Aleksander Grzebyta
Software Engineer
Talex SA
ul. Pultuska 10
61-052 Poznan
POLAND
e-mail : [EMAIL PROTECTED]
www: http://www.talex.com.pl
phone: +48 (0) 61 8792901 ext 127
fax: +48 (0) 61 8792917
___________________________________________________________________________
To unsubscribe, send email to [EMAIL PROTECTED] and include in the body
of the message "signoff SERVLET-INTEREST".
Archives: http://archives.java.sun.com/archives/servlet-interest.html
Resources: http://java.sun.com/products/servlet/external-resources.html
LISTSERV Help: http://www.lsoft.com/manuals/user/user.html
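
The trust rule discussed in the reply above (a server certificate verifies only against a CA the client already trusts) can be reproduced with the openssl command-line tool. This is an added example, not part of the original message; it assumes openssl is installed, and the CA names and host name are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo: a server certificate issued by your own CA verifies only
# for a client that trusts that CA. All names below are made up.

# make_ca DIR NAME CN: self-signed root CA in DIR/NAME.key and DIR/NAME.crt
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_server DIR CA CN: server key and CSR, then a certificate signed by CA
issue_server() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -days 30 \
    -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -out "$1/server.crt" 2>/dev/null
}

# verify_with TRUSTED_CA CERT: exit status 0 only if CERT chains to TRUSTED_CA
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_ca "$d" own "Demo Own CA" &&
  make_ca "$d" other "Other Known CA" &&
  issue_server "$d" own "www.example.test" || { rm -rf "$d"; return 1; }

  # Client that has installed the issuing CA's certificate: chain verifies.
  if verify_with "$d/own.crt" "$d/server.crt"; then
    echo "issuing CA trusted:     server certificate verified"
  fi
  # Client that only knows some other CA: verification fails.
  if ! verify_with "$d/other.crt" "$d/server.crt"; then
    echo "issuing CA not trusted: verification failed"
  fi
  rm -rf "$d"
}

demo
```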